Control: tags 787579 + patch

Attached is a patch against courier 0.73.1-1.6 to fix the generation of weak dhparams. This causes the postinst to take a little while longer (it takes more time to find a 2048-bit safe prime than it does to find a 768-bit safe prime), but it will result in much safer protections for people using TLS with DHE to connect to courier IMAP.
--dkg
From 5f742eead3c3fea9c613769f207d41e32c2cce8c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Wed, 3 Jun 2015 09:20:32 -0400 Subject: [PATCH] default mkdhparams should be much stronger than 768 bits. See https://weakdh.org/ about why 768-bit DHE is a terrible idea. This addresses https://bugs.debian.org/787579 --- libs/imap/mkdhparams.8.in | 2 +- libs/imap/mkdhparams.html.in | 2 +- libs/imap/mkdhparams.in | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libs/imap/mkdhparams.8.in b/libs/imap/mkdhparams.8.in index 7a000a6..bf8bcc9 100644 --- a/libs/imap/mkdhparams.8.in +++ b/libs/imap/mkdhparams.8.in @@ -50,7 +50,7 @@ DH Parameter file\&. .PP BITS .RS 4 -Customize the DH parameter bit size\&. The default value depends on whether this script uses OpenSSL or GnuTLS libraries\&. For OpenSSL the default number of bits is 768\&. GnuTLS uses a security level setting, rather than the number of bits, and the default security level is "high"\&. +Customize the DH parameter bit size\&. The default value depends on whether this script uses OpenSSL or GnuTLS libraries\&. For OpenSSL the default number of bits is 2048\&. GnuTLS uses a security level setting, rather than the number of bits, and the default security level is "high"\&. .RE .SH "SEE ALSO" .PP diff --git a/libs/imap/mkdhparams.html.in b/libs/imap/mkdhparams.html.in index f2ed5a0..cccf908 100644 --- a/libs/imap/mkdhparams.html.in +++ b/libs/imap/mkdhparams.html.in 
@@ -18,7 +18,7 @@ information. </dd></dl></div></div><div class="refsect1"><a id="idm216331936704" shape="rect"> </a><h2>ENVIRONMENT VARIABLES</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">BITS</span></dt><dd> Customize the DH parameter bit size. The default value depends on whether this script uses OpenSSL or GnuTLS libraries. For OpenSSL - the default number of bits is 768. GnuTLS uses a security level + the default number of bits is 2048. GnuTLS uses a security level setting, rather than the number of bits, and the default security level is "high". </dd></dl></div></div><div class="refsect1"><a id="idm216331933632" shape="rect"> </a><h2>SEE ALSO</h2><p> diff --git a/libs/imap/mkdhparams.in b/libs/imap/mkdhparams.in index f5bddfa..7474d5f 100644 --- a/libs/imap/mkdhparams.in +++ b/libs/imap/mkdhparams.in @@ -25,7 +25,7 @@ if test "@ssllib@" = "openssl" then if test "$BITS" = "" then - BITS=768 + BITS=2048 fi dd if=@RANDOMV@ of=@certsdir@/dhparams.rand.tmp count=1 2>/dev/null -- 2.1.4
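Review bot: the BITS paragraph in mkdhparams.8.in now reads 2048, but nothing tells the reader that generating a 2048-bit safe prime takes noticeably longer than the old 768-bit default, which the cover message itself flags for the postinst; one sentence next to the default ("generating 2048-bit parameters can take a while on slow hardware") would save support questions from admins who see mkdhparams apparently hang.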
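Review bot: mkdhparams.html.in looks like generated output (anchor ids of the form idm216331936704 are what docbook stylesheets emit), so an edit here risks being overwritten the next time the documentation is rebuilt; check whether there is a source document for this page that should carry the 768 to 2048 change as well, and keep its wording identical to the man page hunk so the two do not drift.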
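Review bot: changing the default in mkdhparams.in only affects parameters generated from now on; a host that already has a 768-bit @certsdir@/dhparams.pem from an earlier install keeps it unless something regenerates the file, so the postinst (which the cover message says runs this script) should detect the old size and regenerate on upgrade, otherwise the fix only helps fresh installs. A short comment beside `BITS=2048` pointing at https://weakdh.org/ would also help, since the script is the only place an admin editing the default will look.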
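An added check, not part of this bug report or of courier's own code: it reads a PEM "DH PARAMETERS" file of the kind mkdhparams writes to @certsdir@/dhparams.pem and reports whether the prime is a safe prime of at least the patch's new 2048-bit default. The embedded sample group (p = 23, g = 5) is constructed for the demonstration and is deliberately tiny.

```python
import base64, re

MIN_DH_BITS = 2048  # the patch's new OpenSSL default; anything smaller is flagged

# Constructed sample, not a real file: p = 23, g = 5 as DER SEQUENCE { INTEGER 23, INTEGER 5 } = 30 06 02 01 17 02 01 05
SAMPLE_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"

def read_tlv(buf, pos):
    # Minimal DER tag-length-value reader: returns (tag, value, position after the value).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_dhparams_pem(pem):
    # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    tp, p_bytes, pos = read_tlv(seq, 0)
    tg, g_bytes, _ = read_tlv(seq, pos)
    if (tag, tp, tg) != (0x30, 0x02, 0x02):
        raise ValueError("not a SEQUENCE of two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")
def is_probable_prime(n):
    # Miller-Rabin with fixed small-prime witnesses (deterministic below 3.3e24).
    witnesses = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2 or any(n % w == 0 for w in witnesses):
        return n in witnesses
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in witnesses:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def assess_dhparams(pem):
    # A DHE server wants p to be a safe prime ((p - 1) / 2 also prime) of at least MIN_DH_BITS.
    p, g = decode_dhparams_pem(pem)
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {"bits": p.bit_length(), "generator": g, "safe_prime": safe,
            "weak": p.bit_length() < MIN_DH_BITS or not safe}
```

Pass the text of an installed dhparams.pem to assess_dhparams to see whether a pre-patch 768-bit file is still in use.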